Changeset 27811


Ignore:
Timestamp:
Mar 17, 2014, 11:20:28 PM (6 years ago)
Author:
plg
Message:

merge r27810 from branch 2.6 to trunk

bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6
(pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add,
pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove)

Location:
trunk
Files:
5 edited

Legend:

Unmodified
Added
Removed
  • trunk/admin/themes/default/template/user_list.tpl

    r26270 r27811  
    5757      url: "ws.php?format=json&method=pwg.users.add",
    5858      type:"POST",
    59       data: jQuery(this).serialize(),
     59      data: jQuery(this).serialize()+"&pwg_token="+pwg_token,
    6060      beforeSend: function() {
    6161        jQuery("#addUserForm .errors").hide();
     
    346346      type:"POST",
    347347      data: {
     348        pwg_token:pwg_token,
    348349        user_id:userId,
    349350        password: jQuery('#user'+userId+' .changePassword input[type=text]').val()
     
    397398      type:"POST",
    398399      data: {
     400        pwg_token:pwg_token,
    399401        user_id:userId,
    400402        username: jQuery('#user'+userId+' .changeUsername input[type=text]').val()
     
    468470
    469471    var formData = jQuery('#user'+userId+' form').serialize();
     472    formData += '&pwg_token='+pwg_token;
    470473
    471474    if (jQuery('#user'+userId+' form select[name="group_id[]"] option:selected').length == 0) {
     
    709712    var method = 'pwg.users.setInfo';
    710713    var data = {
     714      pwg_token: pwg_token,
    711715      user_id: selection
    712716    };
     
    719723        }
    720724        method = 'pwg.users.delete';
    721         data.pwg_token = pwg_token;
    722725        break;
    723726      case 'group_associate':
  • trunk/include/ws_functions/pwg.groups.php

    r26461 r27811  
    166166function ws_groups_setInfo($params, &$service)
    167167{
     168  if (get_pwg_token() != $params['pwg_token'])
     169  {
     170    return new PwgError(403, 'Invalid security token');
     171  }
     172
    168173  $updates = array();
    169174
     
    222227function ws_groups_addUser($params, &$service)
    223228{
     229  if (get_pwg_token() != $params['pwg_token'])
     230  {
     231    return new PwgError(403, 'Invalid security token');
     232  }
     233
    224234  // does the group exist ?
    225235  $query = '
     
    265275function ws_groups_deleteUser($params, &$service)
    266276{
     277  if (get_pwg_token() != $params['pwg_token'])
     278  {
     279    return new PwgError(403, 'Invalid security token');
     280  }
     281
    267282  // does the group exist ?
    268283  $query = '
  • trunk/include/ws_functions/pwg.permissions.php

    r26461 r27811  
    147147function ws_permissions_add($params, &$service)
    148148{
     149  if (get_pwg_token() != $params['pwg_token'])
     150  {
     151    return new PwgError(403, 'Invalid security token');
     152  }
     153
    149154  include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
    150155
     
    204209function ws_permissions_remove($params, &$service)
    205210{
     211  if (get_pwg_token() != $params['pwg_token'])
     212  {
     213    return new PwgError(403, 'Invalid security token');
     214  }
     215
    206216  include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
    207217
  • trunk/include/ws_functions/pwg.users.php

    r27716 r27811  
    276276function ws_users_add($params, &$service)
    277277{
     278  if (get_pwg_token() != $params['pwg_token'])
     279  {
     280    return new PwgError(403, 'Invalid security token');
     281  }
     282 
    278283  global $conf;
    279284
     
    364369function ws_users_setInfo($params, &$service)
    365370{
     371  if (get_pwg_token() != $params['pwg_token'])
     372  {
     373    return new PwgError(403, 'Invalid security token');
     374  }
     375
    366376  global $conf, $user;
    367377
  • trunk/ws.php

    r26837 r27811  
    773773        'is_default' => array('flags'=>WS_PARAM_OPTIONAL,
    774774                              'type'=>WS_TYPE_BOOL),
     775        'pwg_token' => array(),
    775776        ),
    776777      'Updates a group. Leave a field blank to keep the current value.',
     
    786787        'user_id' =>  array('flags'=>WS_PARAM_FORCE_ARRAY,
    787788                            'type'=>WS_TYPE_ID),
     789        'pwg_token' => array(),
    788790        ),
    789791      'Adds one or more users to a group.',
     
    799801        'user_id' =>  array('flags'=>WS_PARAM_FORCE_ARRAY,
    800802                            'type'=>WS_TYPE_ID),
     803        'pwg_token' => array(),
    801804        ),
    802805      'Removes one or more users from a group.',
     
    851854        'email' =>    array('default'=>null),
    852855        'send_password_by_mail' => array('default'=>false, 'type'=>WS_TYPE_BOOL),
     856        'pwg_token' => array(),
    853857        ),
    854858      'Registers a new user.',
     
    900904        'enabled_high' =>     array('flags'=>WS_PARAM_OPTIONAL,
    901905                                    'type'=>WS_TYPE_BOOL),
     906        'pwg_token' => array(),
    902907        ),
    903908      'Updates a user. Leave a field blank to keep the current value.
     
    937942        'recursive' =>  array('default'=>false,
    938943                              'type'=>WS_TYPE_BOOL),
     944        'pwg_token' => array(),
    939945        ),
    940946      'Adds permissions to an album.',
     
    953959        'user_id' =>  array('flags'=>WS_PARAM_FORCE_ARRAY|WS_PARAM_OPTIONAL,
    954960                            'type'=>WS_TYPE_ID),
     961        'pwg_token' => array(),
    955962        ),
    956963      'Removes permissions from an album.',
Note: See TracChangeset for help on using the changeset viewer.